Kyocera Mita multifunction devices come with the ability to scan to the user's desktop. Part of the solution requires a listener at the PC/Mac, which handles authorization and document upload. This listener has several logic bugs and, as a result, the authorization can be bypassed, files can be uploaded, auditing can be spoofed, and the storage location can be altered from the configured value.
Vulnerable Systems:
* Kyocera Mita Scanner File Utility version 3.3.0.1
Unauthorized document upload - The listener works in conjunction with the multifunction device to authorize the user. If an attacker connects direct to the listener with a custom program, all authorization can be bypassed. This provides an attacker with the ability to directly upload a file to the target's computer.
File Redirection - During the transfer process, the file name is provided to the listener. This name can be altered to include "../", which causes the listener to break out of the specified file storage location and allows an attacker to upload a file anywhere on the target system.
Upload any file type - There are no checks in the listener to validate the content of the uploaded file. As a result, an attacker can upload any file type with any file name. When combined with the other bugs, this give the attacker the ability to overwrite existing files, or write a binary into the Startup Folder.
